14.02.2018

.com continues to be the TLD with the most botnet controller domain names registered (14,218); however, it is .pw (Palau) that has a worryingly high number of problematic domain names (8,587). While a ccTLD, .pw is being promoted as more of a generic TLD.

Registration numbers for .pw are not easy to find, but back in 2013 the registry announced it had passed the 50,000 registrations mark a month after it began promoting itself as an option for the “professional web”. This compares to .com, which today has around 130 million registrations. In the report, Spamhaus notes it has seen a vast number of botnet controller domain names being registered in .com and .pw.

The third most abused TLD, among those Spamhaus says cybercriminals chose most often for their botnet operations, was .info, with 3,707 botnet domain names against 6 million registrations. Fourth was .top, the first of the new gTLDs, with 3,546 botnet domain names and 2.2 million registrations at the end of 2017.

Following were .org (2,516 and 10.3m) and .net (1,607 and 15.0m), while the first of the ccTLDs was Russia’s .ru, which was sixth with 1,370 botnet domains and 6.4 million registrations.

To get a (botnet) domain name registered, cybercriminals need to find a sponsoring registrar. For larger registrars it’s just not possible to be aware of every domain name registered and how it is used. But there are a number of mostly smaller registrars on the list, and some registrars are obviously not overly vigilant in ensuring criminals aren’t using their registration services.

A botnet controller, commonly abbreviated as "C&C" from “command and control”, Spamhaus explains, is used by fraudsters both to control malware-infected machines and to extract personal and valuable data from malware-infected victims. Botnet controllers therefore play a core role in operations conducted by cybercriminals who use infected machines to send out spam and ransomware, launch DDoS attacks, commit e-banking fraud and click fraud, or mine cryptocurrencies such as Bitcoin. An infected machine can be a desktop computer or a mobile device (like a smartphone), but also an Internet of Things (IoT) device such as a webcam or network attached storage (NAS) that is connected to the internet.

Looking forward to 2018, Spamhaus says there is no sign that the number of cyber threats will decrease, and they see a continuing large increase of Internet of Things (IoT) threats.

Spamhaus recommends that, due to the increase in botnet controllers, network owners block traffic to anonymisation services like Tor by default and give users who want or need access to such services the possibility to "Opt-In". They would also like to see registries and registrars take their responsibility seriously by implementing appropriate mechanisms to prevent fraudulent domain registrations.